Author: Harold Byun, Skyhigh Networks
Cyber criminals are clever and know how to evolve – you’ve got to give them that. They’ve proven this once again with their latest cyber attack strategy, the Watering Hole Attack, which leverages cloud services to help gain access to even the most secure and sophisticated enterprises and government agencies.
Attacks Used to be Humorously Simple
In earlier days, attackers operated more simply using emails entitled “ILOVEYOU” or poorly worded messages from Nigerian generals promising untold fortunes of wealth. Over the years, the attacks have evolved into complex spear phishing operations that target specific individuals who can help navigate an organization’s personnel hierarchy or identify digital certificate compromises that lead to command and control over the enterprise infrastructure. In either scenario, the success of the attacks has always been predicated on the fact that users are humans who will occasionally click on or open something that is suspect or compromised.
Now the Bad Guys are getting Smart
More recently, a new, more sophisticated, type of attack is hitting the enterprise. The concept behind the watering hole attack is that in order to insert malware into a company, you must stalk an individual or group and place malware on a site that they trust (a “watering hole”), as opposed to in an email that will be quickly discarded.
Identifying the “Watering Hole”
Inserting malware into a frequently visited site sounds like a great plan, but how do attackers find the right sites? It’s pretty tough to get malware onto the major sites that most people visit like cnn.com or espn.com, so attackers need to know which smaller, less-secure sites (i.e. watering holes) are frequented by employees of the targeted company.
But, how can an attacker know what watering holes users frequents most often? How can an attacker find what watering holes an entire organization or company frequents and how often? And how can they capture this information without anyone clicking anything? The answer…
Users unknowingly provide all of this information simply by surfing the internet as they normally do. When a user surfs the internet from their company today, automated tracking methods used by marketing and ad tracking services identify traffic patterns and accesses. These tracking services silently capture all this information without users ever being aware their actions online are being followed.
This would seem to be harmless information (aside from the irritatingly persistent retargeting ads you must endure), but the tracking services are essentially mapping the behavioral web patterns of your entire organization. This shows which sites employees frequent, and this information also allows attackers to deduce your company’s browsing and cloud services access policies. In other words, it tells an attacker which watering holes you let your users visit.
Planting the Trap
This gives the adversary a map of the sites to target for infiltration. They target the most vulnerable sites, smaller companies or blogs that don’t have strict security. They plant malicious code on the watering hole site. Once the trap is laid, they simply wait for users to visit the sites they have frequented in the past.
The probability of success is significantly higher for watering hole attacks since the attacker has used the tracking service’s data to confirm that traffic to the site is both allowed and frequent. When a user visits the site, the malicious code redirects the user’s browser to a malicious site so the user’s machine can be assessed for vulnerabilities. The trap is sprung.
Malware Phone Home
Once the user steps in the trap by visiting the watering hole they are assessed for vulnerabilities. Using drive-by downloading techniques, attackers don’t need users to click or download any files to their computer. A small piece of code is downloaded automatically in the background. When it runs, it scans for zero-day vulnerabilities (software exploits discovered by the most sophisticated cyber criminals that are unknown to the software companies) or recently discovered exploits that users have not yet patched in Java, Adobe Reader, Flash, and Internet Explorer (that software update from Adobe may be important, after all).
The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening.